
How to Disable SSL 3.0 in Azure Websites, Roles, and Virtual Machines

Microsoft recently released Security Advisory 3009008 to help address a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol and is not specific to any Microsoft or Azure implementation of the protocol. Azure Websites, Roles, and Windows Virtual Machines enable this protocol by default.
SSL 3.0 can also be disabled on the server. This ensures that all connections use the stronger TLS protocols, but customers should be aware that users on legacy browsers that support only SSL 3.0 will no longer be able to connect to the server.
Today we have released guidance on how customers can disable SSL 3.0 in Azure Websites, Roles, and Virtual Machines. Customers can disable the protocol in Roles and Virtual Machines now. The feature that allows changes in Azure Websites will be live and available for customers to implement on Monday, October 20, 2014. We encourage customers to evaluate the risk of regression before implementing these changes.
Below are the steps you can take to configure your Azure Websites, Roles, and Virtual Machines to disallow SSL 3.0 connections.

Disable SSL 3.0 in Azure Websites (updated!)

Azure Websites has disabled SSL 3.0 for all sites by default to protect our customers from the vulnerability mentioned before. Customers no longer need to take any action to disable SSL 3.0 in Azure Websites.

Disable SSL 3.0 in Azure Roles (Web Roles or Worker Roles)

The best way to make changes to the underlying operating system in Azure Platform as a Service (PaaS) roles is to use a startup task and redeploy the application. This is the only way to ensure that all role instances receive the configuration and that the configuration survives any autoscale or service healing operations. This configuration change can only be made by redeploying the application.
It is highly recommended that the application be thoroughly tested for regressions in staging mode before being VIP Swapped to production.
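When testing in staging, it helps to confirm on a role instance that the operating system change actually landed. The following is an added example, not part of Microsoft's guidance or startup script: it reads the standard Windows Schannel protocol settings for SSL 3.0 and reports their state. The function name Get-Ssl3State is hypothetical, the registry path is the usual Schannel location rather than a value taken from this page, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not Microsoft's script): report the Schannel SSL 3.0 settings on this machine.
# Assumption: the standard Schannel protocol key; it is not quoted from the article.
$Ssl3Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

function Get-Ssl3State {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Server', 'Client')]
        [string]$Role
    )

    $path  = Join-Path $Ssl3Key $Role
    # A missing key yields $null; SilentlyContinue suppresses the not-found error.
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

    $enabled = $null
    $disabledByDefault = $null
    if ($props) {
        if ($props.PSObject.Properties['Enabled']) { $enabled = $props.Enabled }
        if ($props.PSObject.Properties['DisabledByDefault']) { $disabledByDefault = $props.DisabledByDefault }
    }

    # Only an explicit Enabled = 0 turns the protocol off. An absent value leaves the
    # OS default in place, which the article describes as SSL 3.0 being enabled.
    $state = if ($null -eq $enabled) { 'NotConfigured' } elseif ($enabled -eq 0) { 'Disabled' } else { 'Enabled' }

    [pscustomobject]@{
        Role              = $Role
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        State             = $state
    }
}

$results = 'Server', 'Client' | ForEach-Object { Get-Ssl3State -Role $_ }
$results | Format-Table -AutoSize

# Inbound connections are governed by the Server subkey; fail the check unless it is
# explicitly disabled so the result can gate a staging sign-off.
$server = $results | Where-Object { $_.Role -eq 'Server' }
if ($server.State -ne 'Disabled') {
    Write-Warning "SSL 3.0 is not explicitly disabled for inbound connections (state: $($server.State))."
    exit 1
}
```

The check reflects what is configured in the registry; Schannel picks up protocol settings at startup, so a value written without a restart may not yet be in effect.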

Step 1: Build the startup scripts and place them in the role configuration

Create a new file named DisableSslv3.cmd and place it in the Startup directory of each role’s definition.

Update: The script has been updated to optionally set SSL cipher suite order on the server as well.